Methods and apparatus for fraud detection and remediation in knowledge-based authentication

- EMC Corporation

Methods and apparatus are provided for fraud detection and remediation in knowledge-based authentication (KBA). A knowledge-based authentication method is performed by a server for restricting access of a user to a restricted resource. The exemplary knowledge-based authentication method comprises challenging the user with one or more questions requiring knowledge by the user; receiving a response from the user to the one or more questions, wherein at least a portion of the response is encoded by the user using an encoding scheme defined between the server and the user to signal a fraudulent access attempt; and granting access to the restricted resource if one or more predefined response criteria are satisfied, wherein the one or more predefined response criteria comprises an assessment of whether the encoded portion of the response satisfies the encoding scheme. A number of exemplary encoding schemes are disclosed.

Skip to: Description  ·  Claims  ·  References Cited  · Patent History  ·  Patent History
Description
CROSS-REFERENCE TO RELATED APPLICATION

The present application is related to U.S. patent application Ser. No. 13/436,080, entitled “Methods and Apparatus for Knowledge-Based Authentication Using Historically-Aware Questionnaires,” filed contemporaneously herewith and incorporated by reference herein.

FIELD OF THE INVENTION

The present invention relates generally to the field of user authentication, and more particularly to authentication techniques that permit a user to authenticate to a protected resource, such as a web site or some type of processing device.

BACKGROUND OF THE INVENTION

Knowledge-based authentication (KBA) refers to a user-authentication process that seeks to verify the identity of an individual accessing a protected resource, such as a web site, using secret information to establish trust between the individual and a server. KBA requires the knowledge of personal information of the individual to grant access to the protected resource.

Existing KBA processes generally rely on the following underlying axiom: Demonstrating knowledge of some personal information, typically shared among the user and the server, is equivalent to proving the user's identity to the server. KBA is often used for sensitive status updates (e.g., password resets, personal record updates or banking information updates), where the user is required to provide the answer to one or more personal questions. The answers are generally considered to be easy to remember by the user but unknown by others.

Static KBA is based on a set of previously shared secrets and challenges the user to provide the server with some secret (to the general public) user-specific information that has been previously shared between the user and the server during a set-up phase. Dynamic KBA is based on questions generated from a wider base of personal information. Dynamic KBA is generally considered an “on-the-fly” generation of personal information by the server based on, for example, the user's record, account and/or profile. For dynamic KBA, the user does not know in advance the question (challenge) that will be asked by the server.

While KBA offers a valuable authentication mechanism, KBA suffers from a number of limitations related to the prediction or discovering power of an attacker, which if overcome, could further improve the security and utility of KBA. For example, to allow the users to easily recall and correctly provide the answers to the questions that they are challenged with, KBA typically uses secrets that come from sets that do not have high entropy. Thus, KBA secrets are often easy to remember, and are often also easy to guess. For instance, the search space for guessing a randomly selected password comprised of eight case-sensitive characters, numbers or symbols is of a size of at least 648 (=248) whereas the search space for guessing the birth city of an individual corresponds to the number of cities in the world, i.e., 248,752(<218) (according to the 2007 Getty Thesaurus of Geographic names). KBA is thus often only used as an auxiliary means of authentication (e.g., in combination with high-entropy passwords).

KBA is vulnerable to brute-force or dictionary attacks, i.e., an exhaustive search through the small search space of the answers of a given question. In this case, the attacker has no information about the secret, other than that it comes from a fixed, well-defined universe (of relatively small size). In practice, dictionary attacks can search in even smaller search spaces if some background information is given about the victim user.

In addition, with the advent of the Internet, the plethora of Web data and the growth of social networking, the dividing line between what constitutes personal secret information and what may be personal but “guessable or discoverable” information is no longer clear. For instance, a person's mother's maiden name may be easy to obtain through social engineering methods. Furthermore, an attacker may attempt sophisticated data-mining attacks against a victim user's personal data from large volumes of general data that becomes legitimately available to the public or to selected communities. For example, a data mining effort over public records for a significant percentage of a targeted population of Texas residents also revealed mothers' maiden names.

Therefore, such attacks raise a big challenge for KBA authentication. A need therefore exists for techniques for preventing fraud related to KBA. Yet another need exists for improved KBA authentication techniques that permit the detection and remediation of fraud.

SUMMARY OF THE INVENTION

Generally, methods and apparatus are provided for fraud detection and remediation in knowledge-based authentication (KBA). According to one aspect of the invention, a knowledge-based authentication method is performed by a server for restricting access of a user to a restricted resource. The exemplary knowledge-based authentication method comprises challenging the user with one or more questions requiring knowledge by the user; receiving a response from the user to the one or more questions, wherein at least a portion of the response is encoded by the user using an encoding scheme defined between the server and the user to signal a fraudulent access attempt; and granting access to the restricted resource if one or more predefined response criteria are satisfied, wherein the one or more predefined response criteria comprises an assessment of whether the encoded portion of the response satisfies the encoding scheme.

A number of exemplary encoding schemes are disclosed. For example, the encoding scheme can comprise i) an intentionally incorrect answer to a particular question among a plurality of questions; ii) an n-th order answer to a particular question having a plurality of possible answers; iii) a requirement that the user shall not answer any question that addresses a previously defined blocked topic; iv) determining an index based on answers of the user to a plurality of control questions, wherein the index identifies one of a plurality of possible equivalent answers to a primary question; and v) an index based on answers of the user to a plurality of control questions, wherein the index identifies one of a plurality of possible queries that can be answered in a database containing information that is personal to the user.

A confidence score can optionally be determined based on the assessment of whether the encoded portion of the response satisfies the encoding scheme. The confidence score can assess a credibility of the user. The predefined response criteria can evaluate the confidence score relative to a threshold. A fraud remediation method can be implemented when the confidence score is within a predefined tolerance of the threshold.

According to a further aspect of the invention, the exemplary knowledge-based authentication method comprises receiving a plurality of answers from the user during a set-up phase to a set of personal questions, wherein at least one of the answers encode one or more of historical, inter-relational and contextual information of the user; challenging the user with one or more questions from the set of personal questions; receiving a response from the user to the one or more questions from the set; assigning a score to the response, wherein the score is based on the encoded information; and granting access to the restricted resource based on the score. The set-up phase can optionally be repeated to update the set of personal questions, the corresponding answers and/or the encoded historical, inter-relational or contextual information of the user.

The challenge optionally comprises the step of challenging the user with a set of C=ƒ(Q, A, I(Q), S) challenge questions, where ƒ is a function applied on the initial set of questions Q, their corresponding answers A, the encoded information I(Q) and additional state information S. The server applies a function g to the {Q, A, I(Q), C, A(C), S} to assign the score, wherein Q is the initial set of questions, A comprises the corresponding answers to the initial set of questions, I(Q) is the encoded information, C is the set of challenge questions, A(C) comprises the corresponding answers to C, and S comprises additional state information. A user-specific state {t, Q, A, I(Q), S} is optionally updated by applying a function h on {w, t, Q, A, I(Q), S}, where w is the score, t is a threshold, Q is the initial set of questions, A comprises the corresponding answers, I(Q) is the encoded information and S comprises additional state information.

The authentication and communication techniques of the illustrative embodiments overcome one or more of the problems associated with the conventional techniques described previously, and permit users to authenticate themselves using silent-alarm knowledge based authentication. Moreover, no modification of the applications or communication protocols is required. These and other features and advantages of the present invention will become more readily apparent from the accompanying drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart describing an exemplary KBA set-up process incorporating aspects of the present invention;

FIG. 2 is a flow chart describing an exemplary KBA challenge process incorporating aspects of the present invention;

FIG. 3 is a flow chart describing an exemplary historically-aware SA-KBA proces;

FIG. 4 is a flow chart describing an exemplary intentional-failure SA-KBA process;

FIG. 5 is a flow chart describing an exemplary fictitious question SA-KBA process;

FIG. 6 is a flow chart describing an exemplary multiplexed question SA-KBA process;

FIG. 7 is a flow chart describing an exemplary query-based SA-KBA process;

FIG. 8 illustrates an exemplary SA-KBA response handling process incorporating aspects of the present invention;

FIG. 9 illlustrates an exemplary silent-alarm knowledge-based authentication system in accordance with the present invention; and

FIG. 10 shows a more detailed view of one possible implementation of a personal computing device or server of the FIG. 9 system.

 DETAILED DESCRIPTION

The present invention provides methods and apparatus for fraud detection and remediation in knowledge-based authentication systems. The disclosed methods allow the server to gather evidence about impersonation attempts performed by an attacker. Using user-specific behavioral, historical or contextual meta-data information, the disclosed exemplary fraud-detection methods exploit an informational gap that exists between the knowledge set of the legitimate user and that of a malicious impersonator.

According to one aspect of the invention, KBA authentication is augmented with an additional level of communication, referred to as a silent alarm alert, between the user and the server to indicate the credibility of the user. As discussed hereinafer, this communication is indirect, i.e., it is embedded in the primitive communication between the user and the server (i.e., embedded in the communication normally performed between the user and the server to provide the shared secret information, e.g., by providing an answer with some personal information). This added level of communication can be considered a silent alarm, i.e., a special-purpose undetectable alert message that provides an additional indication about the “credibility” (or lack thereof) of the user.

The disclosed exemplary fraud-detection methods enable the triggering of a “silent alarm” whenever it is determined that fraudulent authentication is performed; this alarm carries a score signal and the stronger the score signal the higher the confidence about the fraudulent attempt. Depending on the strength of this score signal, the server decides on an appropriate remediation strategy. A number of exemplary fraud remediation methods are discussed further below in conjunction with FIG. 8 that allow the authentication server to respond to attempted impersonation attacks in an effective way with respect to aspects such as user data protection, intrusion evidence construction, impersonator identification and data-leak source discovery.

U.S. patent application Ser. No. 13/249,957, filed Sep. 30, 2011, entitled “Methods and Apparatus for Secure and Reliable Transmission of Messages Over a Silent Alarm Channel,” (now U.S. Pat. No. 8,788,817), incorporated by reference herein, discloses silent alarm channels that are cryptographically protected channels between potentially compromised devices and a trustworthy log-collection point or server. A silent alarm implements a cryptographic channel between a sender and a receiver through which messages are transmitted: (1) securely (i.e., the alarm is unreadable and unchangeable), (2) undetectably (i.e., the alarm is silent), and (3) persistently (i.e., the alarm cannot be turned off). The alert messages can serve as a differentiating feature that allows the server to decide if the communicating party is the true user or an attacker trying to impersonate the true user.

It is noted that the silent alarms employed by the present invention need not incorporate the cryptographic aspects of the silent alarms disclosed in U.S. patent application Ser. No. 13/249,957.

According to a further aspect of the present invention, the main authentication dimension of the disclosed KBA techniques remains the knowledge of a secret. The additional silent alarm aspect, however, allows the server to operate with “surrounding” information that can be used to identify fraudulent authentication attempts.

Silent-alarm knowledge-based authentication (or SA-KBA for short) is based on a new postulate around what constitutes truly personal knowledge. SA-KBA is not only about knowing facts, but also about knowing the complete history, interrelation, and contextual metadata of facts. The disclosed SA-KBA techniques ask a user to demonstrate knowledge of the meaning, temporal interconnection, and content correlation of some predefined, user-server shared personal information to prove the user's identity to the server.

The disclosed framework for fraud-detection in KBA authentication involves a set-up phase and a challenge phase. An exemplary silent-alarm knowledge-based authentication system 900 is discussed further below in conjunction with FIG. 9.

FIG. 1 is a flow chart describing an exemplary KBA set-up process 100 incorporating aspects of the present invention. As shown in FIG. 1, the exemplary KBA set-up process 100 initially sets up the KBA authentication system during step 110 by having the user communicating with the server, where the user answers a set Q of personal questions. The questions in Q can be predefined or generated on-the-fly during this communication step. The set Q of server's questions is defined and the corresponding set A of user's answers is constructed during step 120 by encoding important historical, inter-relational and contextual information I(Q). The server stores Q, A and I(Q). The setup phase can optionally, periodically or on-demand, be repeated during step 130, where the set Q of personal questions, their corresponding answers A and the encoded historical, inter-relational and contextual information I(Q) is optionally updated or augmented. In any such setup phase the user is authenticated through some strong form of authentication.

FIG. 2 is a flow chart describing an exemplary KBA challenge process 200 incorporating aspects of the present invention. As shown in FIG. 2, during step 210, the user is initially challenged with a set of C=ƒ(Q,A,I(Q),S) challenge questions, where ƒ is some (possibly probabilistic) function applied on the initial set of questions Q, their corresponding answers A, the contextual information I(Q) and some additional state information S. For example, in the simplest case, ƒ defines a random subset C of Q. Then, the user provides a set of corresponding answers A(C). According to one aspect of the invention, an indirect silent alarm is embedded in the answers provided by the user.

During step 220, the server processes {Q, A, I(Q), C, A(C), S}, by applying some (possibly probabilistic) function g, and assigns a score wε[0,1] to the authentication attempt of the user. The score w corresponds to the strength of the silent-alarm signal and is defined, for example, such that the closer the score is to 1 (on a scale of 0 to 1), the more likely it is that the user has been impersonated.

A test is performed during step 230, to determine if w is higher than a predetermined or dynamically resettable user-specific threshold value t. If it is determined during step 230 that w is higher than the threshold value t, then the server proceeds with some well-defined fraud-detection or fraud-remediation actions during step 240, as discussed further below. If, however, it is determined during step 230 that w is not higher than the threshold value t, then the server updates the user-specific state {t, Q, A, I(Q), S} by applying some (possible probabilistic) function h on {w, t, Q, A, I(Q), S} during step 250 (e.g., the server updates the threshold t or the user's set of questions Q or the user's contextual information I(Q) or the user's additional state information S or any combination of the above).

An exemplary SA-KBA response handling process 800 is discussed further below in conjunction with FIG. 8.

Exemplary SA-KBA Methods

History-Aware Questionnaires

FIG. 3 is a flow chart describing an exemplary historically-aware SA-KBA process 300. As shown in FIG. 3, during the setup phase, the server asks the user during step 310 for all historically different answers to the same question or for history-aware answers to a set of inter-related but different questions. As used herein, a “history-aware answer” comprises an answer to a given question that is accurate for an indicated date or period of time. In this manner, by providing historically different answers to the same question or history-aware answers to a set of inter-related questions, the user demonstrates with high confidence that the user has global knowledge of multiple related events that occur over a period of time or simultaneously in time.

For instance, it asks for all different states that a user has lived, where answers are given in chronological order and with placements in time, e.g., from 1968 to 1994 in MA, from 1994 to 1999 in CA and from 1999 until present in TX. Then, during the challenge phase, the server asks the user during step 320 the question in a manner that tests the historical knowledge of the user with respect to temporal or geo-temporal aspects, such as the current state of the user, the exact ordering in time of certain events, the exact correlation of user's past activities across time and geolocation. For example,

    • In the question “State of your current house?” any answer other than TX will increase the fraudulent score of the user. The higher the temporal discrepancy, the higher the score.
    • In the question “State you watched the 1992 Olympic games in Barcelona?” any answer other than MA will increase the fraudulent score of the user. The higher the temporal discrepancy, the higher the score.

In this manner, an attacker who makes use of sporadic/opportunistic on-line data will be less likely able to recreate the complete geo-temporal history of the residencies of a victim.

Intentional-Failure Questionnaires

FIG. 4 is a flow chart describing an exemplary intentional-failure SA-KBA process 400.

Generally, the user is supposed to answer a particular question in a set of questions incorrectly in a way that is encoded by the answer to another question or some preset secret “slack” value. For instance, assume that the user chooses (or is assigned by the server) a slack value of 3. This value can be used to create discrepancies in the answers provided by the user that are predictable by the server but unpredictable by the attacker.

As shown in FIG. 4, during step 410, the server initially asks the user for answers to a set of questions. In addition, in one exemplary embodiment, the user and server agree during step 420 on a particular slack value, such as a slack value of 3, or an answer index, as discussed below.

Then, during the challenge phase, the server asks the user a set of questions during step 430 in a mariner that tests whether the user intentionally fails a particular question. For example, in a series of k>3 questions, the user is supposed to incorrectly respond to question number 3,

In a history-aware type of question that is appropriately defined in the setup phase, the user is supposed to answer with the 3rd order answer (e.g., 3rd order state of residence). Thus, during the challenge, the server asks the user a set of questions during step 430 in a manner that tests the users knowledge of the predefined answer index that is required in addition to the necessary knowledge to answer the question (e.g., 3rd order state of residence).

Fictitious Questionnaires

FIG. 5 is a flow chart describing an exemplary fictitious question SA-KBA process 500. Generally, the server and user agree on a blocked topic that the user should never answer at all, based on a preset secret “poison” pattern. For example, the user is set up so that he or she never answers questions that are related to preference or names. Again, fictitious questions can be specific to history-aware context, e.g., one is not supposed to ever answer about his or her first (oldest) state residence.

As shown in FIG. 5, during step 510, the server initially asks the user for answers to one or more questions. In addition, in one exemplary embodiment, the user and server agree during step 520 to a predefined blocked topic that the user should never answer about. Then, during the challenge phase, the server asks the user a set of questions during step 530 that includes at least one fictitious question. If the user answers a question that addresses a blocked topic, the server can detect a fraudulent access attempt.

Multiplexing Questionnaires

FIG. 6 is a flow chart describing an exemplary multiplexed question SA-KBA process 600. Generally, during the setup phase, the user maps a primary set of questions C to two or more sets of equivalent answers A1(C), A2 (C), . . . Al(X) during step 610. Each question in a primary set of questions C is thus mapped to l equivalent answers, where the equivalent answers are referred to as the information set of size l for questions C.

Then, during the challenge phase, on challenge (Ĉ, C), where Ĉ=k≧2 and where C has an answer information set of size l=2k, the user first answers k “control” questions in set Ĉ during step 620, which consists of k yes/no questions, i.e., each question in Ĉ admits a “yes” or a “no” as an answer. Let a=(a1, a2, . . . , ak) be the k-bit string that represents the yes/no answers given by the user, where ai=1 if and only if the answer to the corresponding i-th question in Ĉ is “yes.” In other words, the answer a=(a1, a2, . . . , ak) to the set of control questions provides an index to which of the l equivalent answers should be provided to the primary question(s). Thus, during step 630, the user is supposed to answer the questions in C with the a-th equivalent answer in the information set of size l for questions in C. Here, it is assumed that this information set is ordered according to some ordering so that the equivalent answer of rank a is well defined.

For example, if l=4, there are 4 possible equivalent answers. If the user is supposed to provide the second equivalent answer (corresponding to a binary value of 1 0), then the user is challenged with two control questions having answers of yes and no, respectively. The answers to the control questions provides an indication to the user to provide the second equivalent answer.

If the user answers a question with a different equivalent answer than the equivalent answer indexed by the answer to the control questions, the server can detect a fraudulent access attempt.

Query-Based Questionnaires

FIG. 7 is a flow chart describing an exemplary query-based SA-KBA process 700. Generally, the answers to control questions provide an index into a list of queries that can be answered in a database D containing information that is personal to the user. In other words, the answers to the control questions determine the particular query question that is answered in the user database D. In this manner, the query is determined dynamically or “on the fly” and provides protection against an attacker.

Thus, the user answers to a challenge by providing secret information that corresponds to the answer a to a query q on its personal-record database D kept by the server.

In the setup phase, the user provides information during step 710 that is used to map the answers to a set of yes/no “control” questions to a query on the user's personal-record database that the server has access to. Then, in the challenge phase, the user is challenged during step 720 with a series of such control questions followed by a question that corresponds to a query q on the user's database D. This challenge query q in step 720 is the query to which the answers to the control questions are mapped according to the mapping of the setup phase. The user has to answer this challenge query q during step 730 with the exact answer a to q according to the current contents of his/her personal database D.

For instance, consider a laptop that has been lost and an attacker attempts accessing the contents of the hard drive. In this case the system (i.e., the server in our model) may ask KBA type of questions to the attacker as follows. The contents of the hard drive is viewed as a database and the attacker is challenged with a query q that depends on information initially provided by the legitimate user and perhaps by previous challenge KBA questions answered by the attacker. Then the KBA answer provided by the attacker should be consistent with this exact answer a that corresponds to query q.

Fraud-Remediation Methods

The exemplary silent-alarm general approach described herein aims to distinguish between three classes of authentication attempts:

1. Legitimate authentication attempt is performed by legitimate user who provides correct, authentic credentials;

2. Non-legitimate authentication attempt is performed by impersonator who guesses answers based on data-mining techniques;

3. Non-legitimate authentication attempt is performed by attacker who performs a dictionary attack.

FIG. 8 illustrates an exemplary SA-KBA response handling process 800 incorporating aspects of the present invention. Generally, the exemplary SA-KBA response handling process 800 classifies the three exemplary classes of authentication attempts as follows. As shown in FIG. 8, the exemplary SA-KBA response handling process 800 initiallly receives a response from a user during step 810. The exemplary SA-KBA response handling process 800 computes the corresponding score w during step 820, as discussed above.

A test is performed during step 830, to compare the score w to the threshold t. If it is determined during step 830 that the score w is below the threshold t, then the response is believed to be associated with a legitimate authentication attempt. The associated score W assigned to the current authentication attempt is low (actually, it is far lower than the threshold t) and therefore access is granted during step 840 (perhaps with some post-authentication update of the user's state that is kept by the server according to our new silent-alarm and score-based KBA method).

If it is determined during step 830 that the score w is above the threshold t, then the response is believed to be associated with a dictionary attack. The associated score W is high (actually, it is typically far higher than the threshold t) and therefore access is denied during step 850.

If, however, it is determined during step 830 that the score w is close to the threshold t (e.g., w is within a predefined tolerance of the threshold), then the access is believed to be a non-legitimate authentication attempt by impersonator guessing answers based on data-mining techniques. It is unclear how to best react to an authentication attempt that with some confidence falls into the second category above. In this case, the associated score w assigned to the current authentication attempt may be close to the threshold t, which provides high-confidence evidence that the authentication attempt must be treated with care as it may correspond to an impersonation attack. Ideally, the server should react in such a way that handles an authentication attack in the best possible way according to the specific impersonation attempt that has been detected.

An appropriate fraud remediation method is applied during step 860, as discussed below. Four exemplary fraud remediation methods are described hereinafter for fraud attempts that are detected through the usage of silent alarms and that are labelled as “data-mining” fraud attacks:

A “conservative response” can employ access denial and event sharing. With this conservative method, the server conservatively denies the transaction, logs this denied attempt and passes this evidence to the appropriate intrusion-detection system or to the personnel of a Security Operation Center.

An “intelligent response” can employ plausible-data categorization. With this intelligent method, the server differentiates its behavior according to whether the received responses are plausible as opposed to being correct. Plausible data refers to data that is thematically close to the correct data but does not exactly overlap with correct data, and it is considered as the result of a non-legitimate authentication attempt by an attacker who has previously used data-mining techniques for collecting information about a target victim user. A distance metric is defined over the space of all possible answers, and the server performs a taxonomy of different types of answers. The distance metric is used to label answers as plausible but not accurate (correct). For example, consider the case where an attacker mines that a specific user is interested in sports; a therefore the attacker uses some guessed sport value or same stale (previously but not currently valid) value as the favorite sport of the user. Then, the server does not simply deny access but also calculates the distance between the actual answer and the received answer to appropriately label this failed authentication attempt. Based on this labeling, the server acts appropriately: if the answer is accurate, access is granted, otherwise access is denied but with a “data-mining” label. Note that this technique can be combined with the silent-alarm scoring technique to add another layer of intelligence around the detection of fraudulent authentication attempts.

An “aggressive response” can employ further interrogation. With this aggressive method, the server asks further questions of the user in order to collect useful information about the source of a breach.

A “stealthy response” can employ honeypot usage. With this stealthy method, the server mimics normal behavior (i.e., in particular, the server gives access to the user but in a possibly restricted but stealthy way) and continues with data collection and further investigation so that more evidence about the attacker is gathered until eventually the attacker's identity is fully revealed.

Silent-Alarm Knowledge-Based Authentication (SA-KBA) System

FIG. 9 illustrates an exemplary silent-alarm knowledge-based authentication system 900 in accordance with the present invention. As shown in FIG. 9, the exemplary silent-alarm knowledge-based authentication system 900 comprises a personal computing device 902, a network 904, and one or more web servers 906. The personal computing device 902 may be, for example, a desktop, laptop or palmtop PC, a mobile telephone, a personal digital assistant (PDA), a wireless email device, a workstation, a kiosk, a television set-top box, a game console, or any other information processing device configured to support silent-alarm knowledge-based user authentication as described herein. A given server 906 may be implemented as a computer or other stand-alone processing platform, or may be distributed over multiple processing platforms comprising multiple separate computers. Numerous other arrangements of one or more servers are possible in the silent-alarm knowledge-based authentication system 900. The personal computing device 902 and the server(s) 906 are examples of what are more generally referred to herein as “processing devices.”

The personal computing device 902 will generally include a user interface through which an associated user can interact with the system. This interaction allows the user to authenticate to the system so as to obtain access to a protected resource without requiring the user to present a predetermined credential such as an established PIN or a password from a particular authentication token.

The protected resource may be designated functionality of the personal computing device itself. In such an arrangement, the user is able to access the interface in order to attempt to authenticate but is not granted access to any other functionality of the personal computing device until such time as the user is authenticated. An important advantage of an arrangement of this type is that the personal computing device need not have network connectivity at the time of the access request.

Alternatively, the protected resource may be a resource of the server(s) 906 or a resource accessible via the server(s) 906. In such an arrangement, the user interface of the personal computing device 902 may still be used to obtain user input as part of a process in which the user authenticates to the server(s).

The network 904, although illustratively shown as the Internet, may comprise, for example, a wide area network (WAN), a local area network (LAN), a satellite network, a telephone or cable network, or various portions or combinations of these and other types of networks.

The silent-alarm knowledge-based user authentication may be utilized to provide backup or emergency authentication in the event a user does not have his or her appropriate predetermined credential(s) readily available. Thus, any of a wide variety of conventional primary authentication processes may also be implemented using the system 900. These primary authentication processes may be utilized when the user is in possession of his or her appropriate predetermined credential(s). Such primary authentication processes are well known to those skilled in the art. Alternatively, the silent-alarm knowledge-based user authentication may itself serve as a primary authentication process in the system, or as an adjunct authentication process intended to enhance the security of one or more existing authentication processes.

It is to be appreciated that a given embodiment of the system 100 may include multiple instances of personal computing device 902, network 904 and server set 906, although only single instances of such components are shown in the simplified system diagram for clarity of illustration. For example, a given user may have multiple personal computing devices that access different sets of servers over different networks.

Referring now to FIG. 10, a more detailed illustrative implementation of a processing device of the system 900 is shown. The processing device shown may be viewed as representing personal computing device 902 or a given server 906. The processing device 902 or 906 comprises a memory 1020 coupled to a processor 1022. The processor 1022 is also coupled to interface circuitry comprising network interfaces 1024. A given such network interface is utilized for communicating in a conventional manner with the network 904.

The various elements 1020, 1022 and 1024 of FIG. 10 may be implemented in whole or in part as a conventional microprocessor, microcontroller, digital signal processor, application-specific integrated circuit (ASIC) or other type of circuitry, as well as portions or combinations of such circuitry elements. As will be appreciated by those skilled in the art, portions of a dynamic knowledge-based user authentication process in accordance with an embodiment of the invention can be implemented at least in part in the form of one or more software programs that are stored at least in part in memory 1020 and executed by processor 1022.

Also included in processing device 902 or 906 as shown in FIG. 10 are a number of additional elements, including stored information 1040 and an authentication component 1044. One or more of these elements may be implemented at least in part in the form of software that is stored in the memory 1020 and executed by the processor 1022. One skilled in the art would be readily able to implement such software given the teachings provided herein. The memory 1020 is an example of what is more generally referred to herein as a “processor-readable storage medium.”

The processing device 902 or 906 is configured to support silent alarm knowledge-based user authentication utilizing elements 1040 and 1044, as discussed above in conjunction with FIGS. 2 through 8.

Generally, the stored information 1040 may comprise, for example, stored data and meta-data indicative of a manner in which the user had utilized the protected resource during one or more previous authenticated accesses to the protected resource. The meta-data may be used to determine previous access times for files and other information elements of the protected resource. It is important to note that the stored information 1040 will typically comprise information that is already present in the processing device, such as stored files and associated meta-data. Such information is stored in the ordinary course of operation of the processing device, and may be used as a basis for user authentication as described herein.

In a given embodiment, the stored information 1040 is entirely within the personal computing device 902. As mentioned above, this is a particularly advantageous arrangement in that the personal computing device need not have network connectivity at the time of the access attempt.

The authentication component 1044 receives input from the user regarding one or more characteristics of the stored information 1040. For example, the authentication component 1044 may formulate a number of questions based on the characteristic(s). The authentication component 1044 grants or denies access to the protected resource based at least in part on the input received from the user, as discussed above in conjunction with FIG. 8.

CONCLUSION

As previously indicated, the above-described embodiments of the invention are presented by way of illustrative example only. Numerous variations and other alternative embodiments may be used, as noted above.

The present invention provides methods and apparatus for implementing silent-alarm knowledge-based authentication. The disclosed silent-alarm knowledge-based authentication methods and system, for example, can provide an alarm indicator when an attacker attempts to impersonate a user.

Additional details regarding certain conventional cryptographic techniques referred to herein may be found in, e.g., A. J. Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997, which is incorporated by reference herein.

The illustrative embodiments of the invention as described herein provide silent-alarm knowledge-based authentication. Advantageously, the illustrative embodiments do not require changes to existing communication protocols. It is therefore transparent to both existing applications and communication protocols.

It should again be emphasized that the particular authentication and communication techniques described above are provided by way of illustration, and should not be construed as limiting the present invention to any specific embodiment or group of embodiments. For example, as previously noted, the described embodiments may be adapted in a straightforward manner to operate with other types of credentials or authentication information. Also, the particular configuration of system elements, and their interactions, may be varied in other embodiments. Moreover, the various simplifying assumptions made above in the course of describing the illustrative embodiments should also be viewed as exemplary rather than as requirements or limitations of the invention. Numerous alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.

Claims

1. A knowledge-based authentication method performed by a server for restricting access of a user to a restricted resource, comprising the steps of:

challenging said user with one or more questions requiring knowledge by said user, wherein said user previously provided one or more answers to said one or more questions during a set-up phase, wherein at least one of said answers provided by said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
receiving a response from said user to said one or more questions, wherein at least a portion of said response is encoded by said user using said encoding scheme defined between said server and said user to signal said fraudulent access attempt; and
granting access to said restricted resource if one or more predefined response criteria are satisfied, wherein said one or more predefined response criteria comprises an assessment of whether said encoded portion of said response satisfies said encoding scheme, wherein at least one of said steps are performed by at least one hardware device.

2. The method of claim 1, wherein said encoding scheme comprises an intentionally incorrect answer to a particular question among a plurality of questions.

3. The method of claim 2, wherein said particular question is determined by a slack value defined between said server and said user.

4. The method of claim 1, wherein said encoding scheme comprises providing an n-th order answer to a particular question having a plurality of possible answers.

5. The method of claim 4, wherein said n-th order is previously defined between said server and said user.

6. The method of claim 1, wherein said encoding scheme comprises a requirement that said user shall not answer any question that addresses a previously defined blocked topic.

7. The method of claim 1, wherein said encoding scheme comprises determining an index based on answers of said user to a plurality of control questions, wherein said index identifies one of a plurality of possible equivalent answers to a primary question.

8. The method of claim 1, wherein said encoding scheme comprises determining an index based on answers of said user to a plurality of control questions, wherein said index identifies one of a plurality of possible queries that can be answered in a database containing information that is personal to the user.

9. The method of claim 1, further comprising the step of determining a confidence score based on said assessment of whether said encoded portion of said response satisfies said encoding scheme.

10. The method of claim 9, wherein said confidence score assesses a credibility of said user.

11. The method of claim 9, wherein said predefined response criteria evaluates said confidence score relative to a threshold.

12. The method of claim 11, further comprising the step of employing a fraud remediation method when said confidence score is within a predefined tolerance of said threshold.

13. The method of claim 12, wherein said fraud remediation method comprises one or more of denying access and sending a notification of said access attempt.

14. The method of claim 12, wherein said fraud remediation method comprises classifying said response as plausible or correct.

15. The method of claim 14, further comprising the steps of calculating a distance between an actual answer and a received answer and labeling a plausible response as a data mining access attempt.

16. The method of claim 12, wherein said fraud remediation method comprises further interrogation of said user.

17. The method of claim 12, wherein said fraud remediation method comprises granting access to said user and investigating said user to determine an identity of said user.

18. A knowledge-based authentication method performed by a server for restricting access of a user to a restricted resource, comprising the steps of:

receiving a plurality of answers from said user during a set-up phase to a set of personal questions, wherein at least one of said answers received from said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
challenging said user with one or more questions from said set of personal questions;
receiving a response from said user to said one or more questions from said set;
assigning a score to said response, wherein said score is based on said encoded information; and
granting access to said restricted resource based on said score, wherein at least one of said steps are performed by at least one hardware device.

19. The method of claim 18, further comprising the step of repeating said set-up phase to update one or more of said set of personal questions, said corresponding answers and said encoded historical, inter-relational or contextual information of said user.

20. The method of claim 18, wherein said score indicates a likelihood that said user has been impersonated.

21. The method of claim 18, wherein said score is evaluated relative to a threshold.

22. The method of claim 21, further comprising the step of employing a fraud remediation method when said score is within a predefined tolerance of said threshold.

23. The method of claim 22, wherein said fraud remediation method comprises one or more of denying access and sending a notification of said access attempt.

24. The method of claim 22, wherein said fraud remediation method comprises classifying said response as plausible or correct.

25. The method of claim 24, further comprising the steps of calculating a distance between an actual answer and a received answer and labeling a plausible response as a data mining access attempt.

26. The method of claim 22, wherein said fraud remediation method comprises further interrogation of said user.

27. The method of claim 22, wherein said fraud remediation method comprises granting access to said user and investigating said user to determine an identity of said user.

28. The method of claim 18, wherein said challenging step further comprises the step of challenging said user with a set of C=ƒ(Q, A, I(Q), S) challenge questions, where ƒ is a function applied on an initial set of questions Q, their corresponding answers A, the encoded information I(Q) and additional state information S.

29. The method of claim 28, wherein said function ƒ generates a random subset C of Q.

30. The method of claim 28, wherein said function ƒ is a probabilistic function.

31. The method of claim 18, wherein said server applies a function g to {Q, A, I(Q), C, A(C), S} to assign said score, wherein Q is an initial set of questions, A comprises corresponding answers to said initial set of questions, I(Q) is the encoded information, C is a set of challenge questions, A(C) comprises corresponding answers to C, and S comprises additional state information.

32. The method of claim 31, wherein said function g is a probabilistic function.

33. The method of claim 18, further comprising the step of updating a user-specific state {t, Q, A, I(Q), S} by applying a function h on {w, t, Q, A, I(Q), S}, where w is said score, t is a threshold, Q is an initial set of questions, A comprises corresponding answers, I(Q) is the encoded information and S comprises additional state information.

34. The method of claim 33, wherein said function h is a probabilistic function.

35. A knowledge-based authentication server for restricting access of a user to a restricted resource, comprising:

a memory; and
at least one hardware device, coupled to the memory, operative to implement the following steps:
challenging said user with one or more questions requiring knowledge by said user, wherein said user previously provided one or more answers to said one or more questions during a set-up phase, wherein at least one of said answers provided by said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
receiving a response from said user to said one or more questions, wherein at least a portion of said response is encoded by said user using said encoding scheme defined between said server and said user to signal said fraudulent access attempt; and
granting access to said restricted resource if one or more predefined response criteria are satisfied, wherein said one or more predefined response criteria comprises an assessment of whether said encoded portion of said response satisfies said encoding scheme.

36. The server of claim 35, wherein said encoding scheme comprises an intentionally incorrect answer to a particular question among a plurality of questions.

37. The server of claim 36, wherein said particular question is determined by a slack value defined between said server and said user.

38. The server of claim 35, wherein said encoding scheme comprises providing an n-th order answer to a particular question having a plurality of possible answers.

39. The server of claim 38, wherein said n-th order is previously defined between said server and said user.

40. The server of claim 35, wherein said encoding scheme comprises a requirement that said user shall not answer any question that addresses a previously defined blocked topic.

41. The server of claim 35, wherein said encoding scheme comprises determining an index based on answers of said user to a plurality of control questions, wherein said index identifies one of a plurality of possible equivalent answers to a primary question.

42. The server of claim 35, wherein said encoding scheme comprises determining an index based on answers of said user to a plurality of control questions, wherein said index identifies one of a plurality of possible queries that can be answered in a database containing information that is personal to the user.

43. The server of claim 35, further comprising the step of determining a confidence score based on said assessment of whether said encoded portion of said response satisfies said encoding scheme.

44. The server of claim 43, wherein said confidence score assesses a credibility of said user.

45. The server of claim 43, wherein said predefined response criteria evaluates said confidence score relative to a threshold.

46. The server of claim 45, further comprising the step of employing a fraud remediation server when said confidence score is within a predefined tolerance of said threshold.

47. An article of manufacture for knowledge-based authentication by a server for restricting access of a user to a restricted resource, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:

challenging said user with one or more questions requiring knowledge by said user, wherein said user previously provided one or more answers to said one or more questions during a set-up phase, wherein at least one of said answers provided by said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
receiving a response from said user to said one or more questions, wherein at least a portion of said response is encoded by said user using said encoding scheme defined between said server and said user to signal said fraudulent access attempt; and
granting access to said restricted resource if one or more predefined response criteria are satisfied, wherein said one or more predefined response criteria comprises an assessment of whether said encoded portion of said response satisfies said encoding scheme.

48. A knowledge-based authentication server for restricting access of a user to a restricted resource, comprising:

a memory; and
at least one hardware device, coupled to the memory, operative to implement the following steps:
receiving a plurality of answers from said user during a set-up phase to a set of personal questions, wherein at least one of said answers received from said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
challenging said user with one or more questions from said set of personal questions;
receiving a response from said user to said one or more questions from said set;
assigning a score to said response, wherein said score is based on said encoded information; and
granting access to said restricted resource based on said score.

49. The server of claim 48, wherein said at least one hardware device is further configured to repeat said set-up phase to update one or more of said set of personal questions, said corresponding answers and said encoded historical, inter-relational or contextual information of said user.

50. The server of claim 48, wherein said score indicates a likelihood that said user has been impersonated.

51. The server of claim 48, wherein said challenging step further comprises the step of challenging said user with a set of C=ƒ(Q, A, I(Q), S) challenge questions, where ƒ is a function applied on an initial set of questions Q, their corresponding answers A, the encoded information I(Q) and additional state information S.

52. The server of claim 51, wherein said function ƒ generates a random subset C of Q.

53. The server of claim 51, wherein said function ƒ is a probabilistic function.

54. The server of claim 48, wherein said server applies a function g to {Q, A, I(Q), C, A(C), S} to assign said score, wherein Q is an initial set of questions, A comprises corresponding answers to said initial set of questions, I(Q) is the encoded information, C is a set of challenge questions, A(C) comprises corresponding answers to C, and S comprises additional state information.

55. The server of claim 54, wherein said function g is a probabilistic function.

56. The server of claim 48, further comprising the step of updating a user-specific state {t, Q, A, I(Q), S} by applying a function h on {w, t, Q, A, I(Q), S}, where w is said score, t is a threshold, Q is an initial set of questions, A comprises corresponding answers, I(Q) is the encoded information and S comprises additional state information.

57. The server of claim 56, wherein said function h is a probabilistic function.

58. An article of manufacture for knowledge-based authentication by a server for restricting access of a user to a restricted resource, comprising a non-transitory machine readable recordable medium containing one or more programs which when executed implement the steps of:

receiving a plurality of answers from said user during a set-up phase to a set of personal questions, wherein at least one of said answers received from said user encode one or more of historical, inter-relational and contextual information of said user using an encoding scheme defined between said server and said user to signal a fraudulent access attempt;
challenging said user with one or more questions from said set of personal questions;
receiving a response from said user to said one or more questions from said set;
assigning a score to said response, wherein said score is based on said encoded information; and
granting access to said restricted resource based on said score.
Referenced Cited
U.S. Patent Documents
5442342 August 15, 1995 Kung
7389275 June 17, 2008 Kemper et al.
8424061 April 16, 2013 Rosenoer
20030158815 August 21, 2003 Yashida et al.
20030200137 October 23, 2003 Drummond
20050039056 February 17, 2005 Bagga et al.
20060020501 January 26, 2006 Leicht et al.
20080005037 January 3, 2008 Hammad et al.
20080319869 December 25, 2008 Carlson et al.
20100082612 April 1, 2010 Duan et al.
20100205652 August 12, 2010 Bouchard et al.
20120088222 April 12, 2012 Considine et al.
20130263230 October 3, 2013 Gorodyansky et al.
Other references
  • U.S. Appl. No. 13/249,957, filed Sep. 30, 2011, entitled “Methods and Apparatus for Secure and Reliable Transmission of Messages Over a Silent Alarm Channel.”
  • Ali et al, Enhanced Knowledge Based Authentication Using Iterative Session Parameters, World Academy of Science, Engineering and Technology, pp. 293-299, 2010.
  • Rabkin, Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook, Symposium on Usable Privacy and Security (SOUPS) 2008, Jul. 23-25, 2008, pp. 1-11.
Patent History
Patent number: 9021553
Type: Grant
Filed: Mar 30, 2012
Date of Patent: Apr 28, 2015
Assignee: EMC Corporation (Hopkinton, MA)
Inventors: Thomas S. Corn (Newton, MA), Ari Juels (Brookline, MA), Nikolaos Triandopoulos (Arlington, MA)
Primary Examiner: Mohammad L Rahman
Application Number: 13/436,125